tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JAAS Realms, cookies and authentication
Date Thu, 11 Oct 2007 17:24:33 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Iain,

Emsley, I (Iain) wrote:
> What I'm trying to achieve is when the user logs in on main site and
> clicks the link to the Java calendar, the link will read the cookie
> (extracting the user name/password and converting into hex to send back
> to the main config files to check if it's valid whilst also checking that
> they are a member of our service) and then grant access to the
> application on success.

Shouldn't this happen automatically? When the browser makes an HTTP
connection to your server, as long as the hostname and path match, the
cookie will be sent automatically. Am I misunderstanding your thought?

Are you trying to implement "remember me" functionality?

> I was looking at the JAAS realm since the user information is kept in
> what is essentially a flat file db and trying to write a LoginModule
> which replicates the existing Perl scripts actions for checking
> username/password and membership.

I have no experience with JAASRealm. Would it be easier to write a
simple Realm instead of dealing with JAAS?

> AFAIUI, I'd need to write a servlet to
> process the cookie before hitting the JAAS realm though.

That's not going to happen: if you're using Tomcat's built-in
authentication and authorization mechanism, then basically none of your
code gets to run before the authentication is performed (unless you
write your own Realm, or JAAS LoginModule).

> Have I
> understood this correctly or can I get the LoginModule to do the
> processing (which appears to be implied in the Tomcat manual on Realms)?

Hopefully, the request object is available to your LoginModule or Realm
in order to do the authentication. That would allow you to substitute
the authentication information from the cookie instead of attempting to
get it from the request (parameters).

> Ultimately I will need to be able to log users in via http, https and
> the Shibboleth Single Sign On (for which I know there is a JAAS realm).

Aah, a better reason to use JAAS ;)

> As I understand it, as long as I have a config which lists all the
> various login methods, I should be able to stack these onto one Tomcat,
> or have I also misunderstood this? 

Sorry, I can't answer this, but I think that's what JAAS was made for:
multiple authentication methods glued together, and a simpler, more
stable interface (LoginModule) for implementation.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDlxR9CaO5/Lv0PARAlr3AJ9LDhSciOxAXJZ94uu5eOkNdoodhQCfZHtG
PPrHJfLQe4qapF3p7xv4Y6k=
=W8zh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
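The reply above (the LoginModule route, and the point that none of the application's own code runs before Tomcat's built-in authentication) can be made concrete with a JAAS LoginModule sketch. This is an added example, not code from the thread, from Tomcat or from the poster's Perl scripts. It assumes a hypothetical class FlatFileLoginModule, an in-memory table standing in for the flat-file user database (constructed here), and the two checks the poster describes: password validity plus current membership. One thing worth knowing before choosing this route: Tomcat's JAASRealm drives the LoginModule through a CallbackHandler that supplies a NameCallback and a PasswordCallback built from the credentials the Authenticator already extracted (form fields or Basic header); the module is not handed the servlet request, so a cookie-based scheme has to come from a custom Realm or Authenticator rather than from inside login(). The constant-time digest comparison and the two-phase login()/commit() structure are the parts of the pattern a reviewer would look for.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule: verifies username/password and a membership flag against a flat user table. */
public class FlatFileLoginModule implements LoginModule {

    /** Principal types; JAASRealm tells them apart via its userClassNames / roleClassNames attributes. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed stand-in for the flat-file db: username -> { hex SHA-256 of password, membership status }. */
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] { sha256Hex("correct horse battery"), "member" });
        USERS.put("bob",   new String[] { sha256Hex("hunter2"), "expired" }); // right password, lapsed membership
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;
    private final List<Principal> committed = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: fetch credentials through the callbacks and verify them; the Subject is not touched yet. */
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        if (nameCb.getName() == null || password == null) {
            throw new FailedLoginException("missing username or password");
        }
        String[] record = USERS.get(nameCb.getName());
        // Unknown user and wrong password take the same path and the same constant-time comparison.
        byte[] expected = (record == null ? "" : record[0]).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = sha256Hex(new String(password)).getBytes(StandardCharsets.US_ASCII);
        Arrays.fill(password, '\0');
        boolean passwordOk = record != null && MessageDigest.isEqual(expected, supplied);
        if (!passwordOk) throw new FailedLoginException("bad username or password");
        // Second check mirrored from the thread: the account must also be a current member of the service.
        if (!"member".equals(record[1])) throw new FailedLoginException("not a current member");
        authenticatedUser = nameCb.getName();
        return true;
    }

    /** Phase 2: populate the Subject; JAASRealm reads these principals only after commit() succeeds. */
    @Override
    public boolean commit() {
        if (authenticatedUser == null) return false;
        committed.add(new UserPrincipal(authenticatedUser));
        committed.add(new RolePrincipal("member"));
        subject.getPrincipals().addAll(committed);
        return true;
    }

    @Override
    public boolean abort() { authenticatedUser = null; committed.clear(); return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeAll(committed);
        committed.clear();
        authenticatedUser = null;
        return true;
    }

    /** Hex SHA-256; stands in for the "convert to hex" step in the thread. A real store would use a password KDF. */
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

To wire this in (assumed names throughout): a JAAS login configuration file with an entry such as "Calendar { FlatFileLoginModule required; };", pointed at via the java.security.auth.login.config system property, and a Realm element in server.xml or context.xml with className org.apache.catalina.realm.JAASRealm, appName "Calendar", userClassNames "FlatFileLoginModule$UserPrincipal" and roleClassNames "FlatFileLoginModule$RolePrincipal". The two-phase split matters for the stacking the poster asks about later in the thread: with several modules listed in one entry, JAAS calls every module's login() first and only then commit(), so a module must not add principals to the Subject until commit() or a later module's failure leaves a half-populated Subject behind.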

